Cisco ASA 5500-X Series Next-Generation Firewalls

Release Notes for the Cisco ASA Series, 9.3(x)

Table of Contents

Release Notes for the Cisco ASA Series, Version 9.3(x)

Important Notes

System Requirements

New Features

Upgrading the Software

Open and Resolved Bugs

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for the Cisco ASA Series, Version 9.3(x)

First Published: July 24, 2014

Last Updated: April 22, 2015

This document contains release information for Cisco ASA software Version 9.3(x).

Important Notes

  • The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.
  • Windows NT AAA server was deprecated—In ASA Version 9.3, the Windows NT AAA server is no longer supported.
  • (9.3(2) and later) SSLv3 deprecation and SSL server version default change—SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed from the ASA.
  • ASA CX module upgrade requirements—For ASA Version 9.3(2) and later, only ASA CX Version 9.3.2.1 and later is supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX module will become unresponsive.
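
As an added example (not Cisco code), the following pre-upgrade check scans a saved running-config for the items these release notes flag: deprecated ssl server-version keywords or reliance on the old default, the deprecated ssl encryption command, Windows NT AAA servers, and the ASA 5505. The function name, rule IDs, the model argument and the sample configuration are assumptions made for the illustration.

```python
import re

# Keywords the 9.3(2) note says are still accepted, with a warning, and
# will be removed in the next major release.
DEPRECATED_SERVER_VERSIONS = {"any", "sslv3", "sslv3-only"}

# "aaa-server <tag> protocol nt" defines a Windows NT AAA server group.
AAA_NT = re.compile(r"^aaa-server\s+\S+\s+protocol\s+nt$", re.IGNORECASE)

# Constructed sample of a pre-9.3 running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw
aaa-server CORP-NT protocol nt
aaa-server CORP-RADIUS protocol radius
ssl server-version any
ssl encryption aes256-sha1 aes128-sha1
webvpn
 enable outside
"""


def audit_config(config_text, model=None):
    """Return (line_number, rule_id, message) findings for a 9.3(x) upgrade.

    line_number is 0 for findings that are not tied to a config line.
    model is an optional hardware string supplied by the caller (assumption:
    taken from inventory or 'show version'); it is not parsed from the config.
    """
    findings = []
    explicit_server_version = False

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks and the "!" / ":" comment lines found in saved configs.
        if not line or line[0] in "!:":
            continue
        tokens = line.lower().split()

        if tokens[:2] == ["ssl", "server-version"] and len(tokens) >= 3:
            explicit_server_version = True
            if tokens[2] in DEPRECATED_SERVER_VERSIONS:
                findings.append((lineno, "SSL-SERVER-VERSION",
                                 f"'{tokens[2]}' is accepted only with a warning "
                                 "in 9.3(2) and will be removed; SSLv3 is deprecated"))
        elif tokens[:2] == ["ssl", "encryption"]:
            findings.append((lineno, "SSL-ENCRYPTION",
                             "ssl encryption is deprecated in 9.3(2)"))
        elif AAA_NT.match(line):
            findings.append((lineno, "AAA-NT",
                             "Windows NT AAA server is no longer supported in 9.3"))

    # Defaults are not written to the running-config, so a missing line means
    # the device relies on the default, which changes from any to tlsv1.
    if not explicit_server_version:
        findings.append((0, "SSL-DEFAULT-CHANGE",
                         "no explicit ssl server-version: the default changes "
                         "from any to tlsv1 in 9.3(2)"))

    if model and "5505" in model:
        findings.append((0, "HW-5505",
                         "ASA 5505 is not supported in 9.3; 9.2 was its final release"))

    return findings


if __name__ == "__main__":
    for lineno, rule, message in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{rule}] {message}")
```
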

System Requirements

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

New Features

Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in Version 9.3(3)

Released: April 22, 2015

There are no new features in this release.

New Features in Version 9.3(2.200)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2.200).

This release supports only the ASAv.

 

Table 1 New Features for ASA Version 9.3(2.200)

Feature
Description
Platform Features

ASAv with KVM and Virtio

You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and the Virtio virtual interface driver.

New Features in Version 9.3(2)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2).

 

Table 2 New Features for ASA Version 9.3(2)

Feature
Description
Platform Features

ASA 5506-X

We introduced the ASA 5506-X.

We introduced or modified the following commands: service sw-reset-button, upgrade rommon, show environment temperature accelerator

ASA FirePOWER software module for the ASA 5506-X

You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM. Note: This feature requires ASA 7.3(3).

 

Mixed level SSPs in the ASA 5585-X

You can now use the following mixed level SSPs in the ASA 5585-X:

  • ASA SSP-10/ASA FirePOWER SSP-40
  • ASA SSP-20/ASA FirePOWER SSP-60

Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1

ASA REST API 1.0.1

A REST API was added to support configuring and managing major functions of the ASA.

We introduced or modified the following commands: rest-api image, rest-api agent, show rest-api agent, debug rest-api, show version

Support for ASA image signing and verification

ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.

We introduced the following commands: copy /noverify, verify /image-signature, show software authenticity keys, show software authenticity file, show software authenticity running, show software authenticity development, software authenticity development, software authenticity key add special, software authenticity key revoke special

Accelerated security path load balancing

The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.

We introduced the following command: asp load-balance per-packet-auto

 

Firewall Features

Configuration session for editing ACLs and objects.

Forward referencing of objects and ACLs in access rules.

You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.

We introduced the following commands: clear configuration session, clear session, configure session, forward-reference, show configuration session

SIP support for Trust Verification Services, NAT66, CUCM 10.5, and model 8831 phones.

You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5.

We introduced the following command: trust-verification-server.

 

Unified Communications support for CUCM 10.5

SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5.

Remote Access Features

Browser support for Citrix VDI

We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.

Clientless SSL VPN for Mac OSX 10.9

We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.

Interoperability with standards-based, third-party, IKEv2 remote access clients

We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

We introduced or modified the following commands: ikev2 remote-authentication, ikev2 local-authentication, clear vpn-sessiondb, show vpn-sessiondb, vpn-sessiondb logoff

 

Transport Layer Security (TLS) version 1.2 support

We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN.

We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb

We deprecated the following command: ssl encryption

 

AnyConnect 4.0 support for TLS version 1.2

AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.

Licensing Features

Cisco Smart Software Licensing for the ASAv

Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.

We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level

 

High Availability Features

Lock configuration changes on the standby unit or standby context in a failover pair

You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.

We introduced the following command: failover standby config-lock

 

ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks

You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.

Interface Features

Traffic Zones

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Note: You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.

We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone

 

Routing Features

BGP support for IPv6

We added support for IPv6.

We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6-address prefix-list, set ipv6-address prefix-list, set ipv6 next-hop, set ipv6 next-hop peer-address

 

Monitoring Features

SNMP MIBs and traps

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASA 5506-X.

The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you to do the following:

  • Know which commands have been entered for a specific configuration.
  • Notify the NMS when a change has occurred in the running configuration.
  • Track the time stamps associated with the last time that the running configuration was changed or saved.
  • Track other changes to commands, such as terminal details and command sources.

We modified the following command: snmp-server enable traps

 

Showing route summary information for troubleshooting

The show route-summary command output has been added to the show tech-support detail command.

Management Features

System backup and restore

We now support complete system backup and restoration using the CLI.

We introduced the following commands: backup, restore

New Features in Version 9.3(1)

Released: July 24, 2014

Table 3 lists the new features for ASA Version 9.3(1).

The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.

 

Table 3 New Features for ASA Version 9.3(1)

Feature
Description
Firewall Features

SIP, SCCP, and TLS Proxy support for IPv6

You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).

We did not modify any commands.

Support for Cisco Unified Communications Manager 8.6

The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).

We did not modify any commands.

Transactional Commit Model on rule engine for access groups and NAT

When enabled, a rule update is applied after the rule compilation is completed, without affecting rule-matching performance.

We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit

 

Remote Access Features

XenDesktop 7 Support for clientless SSL VPN

We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.

We did not modify any commands.

 

AnyConnect Custom Attribute Enhancements

Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.

We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custom

 

AnyConnect Identity Extensions (ACIDex) for Desktop Platforms

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.

The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.

We did not modify any commands.

 

TrustSec SGT Assignment for VPN

TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.

We introduced the following new command: security-group-tag value

 

High Availability Features

Improved support for monitoring module health in clustering

We added improved support for monitoring module health in clustering.

We modified the following command: show cluster info health

Disable health monitoring of a hardware module

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module

 

Platform Features

ASP Load Balancing

The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows
  • Overruns caused by bulk flows oversubscribing specific interface receive rings
  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load

We introduced or modified the following commands: asp load-balance per-packet auto, show asp load-balance per-packet, show asp load-balance per-packet history, and clear asp load-balance history

SNMP MIBs

The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASASM.

Interface Features

Transparent mode bridge group maximum increased to 250

The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

We modified the following commands: interface bvi, bridge-group

 

Routing Features

BGP support for ASA clustering

We added support for BGP with ASA clustering.

We introduced the following new command: bgp router-id clusterpool

 

BGP support for nonstop forwarding

We added support for BGP Nonstop Forwarding.

We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart

 

BGP support for advertised maps

We added support for BGPv4 advertised map.

We introduced the following new command: neighbor advertise-map

 

OSPF Support for Non-Stop Forwarding (NSF)

OSPFv2 and OSPFv3 support for NSF was added.

We added the following commands: capability, nsf cisco, nsf cisco helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking, graceful-restart, graceful-restart helper, graceful-restart helper strict-lsa-checking


 

AAA Features

Layer 2 Security Group Tag Imposition

You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.

We introduced or modified the following commands: cts manual, policy static sgt, propagate sgt, cts role-based sgt-map, show cts sgt-map, packet-tracer, capture, show capture, show asp drop, show asp table classify, show running-config all, clear configure all, and write memory

 

Removal of AAA Windows NT domain authentication

We removed NTLM support for remote access VPN users.

We deprecated the following command: aaa-server protocol nt

 

Monitoring Features

Monitoring Aggregated Traffic for Physical Interfaces

The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.

Upgrading the Software

See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.

Note: There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering with the following exception. Upgrading ASA clustering from 9.0(1) or 9.1(1): due to CSCue72961, hitless upgrading is not supported.

 

Current ASA Version      First Upgrade to:            Then Upgrade to:
8.2(x) and earlier       8.4(6)                       9.3(1) or later
8.3(x)                   8.4(6)                       9.3(1) or later
8.4(1) through 8.4(4)    8.4(6), 9.0(4), or 9.1(2)    9.3(1) or later
8.4(5) and later         -                            9.3(1) or later
8.5(1)                   9.0(4) or 9.1(2)             9.3(1) or later
8.6(1)                   9.0(4) or 9.1(2)             9.3(1) or later
9.0(1)                   9.0(4) or 9.1(2)             9.3(1) or later
9.0(2) or later          -                            9.3(1) or later
9.1(1)                   9.1(2)                       9.3(1) or later
9.1(2) or later          -                            9.3(1) or later
9.2(x)                   -                            9.3(1) or later

For detailed steps about upgrading, see the 9.3 upgrade guide.

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.

Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs

Open Bugs in 9.3(3)

All open bugs severity 3 and higher for Version 9.3(3) are included in this search:

You can also perform other searches as desired.

For example, to find bugs that were added between 9.3(2) and 9.3(3), you can search for:

  • Product > Series/Model Cisco ASA 5500-X Series Next-Generation Firewalls
  • Releases > Affecting these releases 9.3(2., and 9.3(3)

The “9.3(2.” search finds all 9.3(2.x) interim releases and builds. “9.3(3)” includes any new bugs found on the released 9.3(3) version.

  • Filter > Status Open
  • (Optional) Filter > Severity 3 or higher

 

Open Bugs in 9.3(2.200) and Earlier

The following table contains open bugs in 9.3(2.200) and earlier.

 

Table 4 Open Bugs in ASA Version 9.3(2.200) and Earlier

Bug

Description

L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node
ASA SFR: memory corruption following a sys install
WEBVPN: DWA_8_5 can not be accessed in FF15 via Kenton
ASA Mgmt Session stuck on running "sh block exhaustion snapshot/history"
On deleting access-list attached to route-map,ASA is not throwing ERROR
ASA sporadic crypto errors with SSL VPN using TLS1.x DHE ciphers
5506-5508: "show file info lfbff-k8.SPA" missing version and wrong size
ACL Hash calculated using object NAME and not object value
ASA traceback in Thread Name: ci/console, assertion "snp_sp_action.c"
ASA5506: Packet-tracer shows output interface as "NP Identity Ifc
ASA low DMA memory on low end ASA-X -5512/5515 devices
ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2
ASA: 'no monitor-interface service-module' command gone after reload.
ASA 9.3.1 meaningful log message for "DAP: Processing error: Code 2991"
ASA: speed slow down after creating multiple ACL entries via REST POST
show traffic protocol statistics shows huge counter value
"sysopt traffic detailed-statistics" not visible in "show run"
CI-STS: ASA-6-305010 syslog is not generated after clear nat
ASA teardown connection after receiving same direction fins
ASA: traceback may occur in DATAPATH-0-1339 with ASDM ACL config

Resolved Bugs

Resolved Bugs in 9.3(3)

All resolved bugs for Version 9.3(3) are included in this search:

Resolved Bugs in 9.3(2.200)

There were no resolved bugs in Version 9.3(2.200).

Resolved Bugs in 9.3(2)

The following table contains resolved bugs in ASA Version 9.3(2).

 

Table 5 Resolved Bugs in ASA Version 9.3(2)

Bug

Description

Syslog 106100 not generated on second context when cascading contexts.
vpn-sessiondb detail missing Filter Name after IKEv1 rekey
ASA: Crash when out of stack memory with call-home configured
Arsenal:twice NAT with service type ftp not working.
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
ASA: Last packet in PCAP capture file not readable
Idle timer and half-closed idle timer reset by out of sequence SYN
ASA Webvpn CIFS vnode_create: VNODE ALLOCATION LIMIT 100000 REACHED!
ASA 8.4.6 MAC Address flapping with Port-Channels and IPv6
SSH timeout on ASA
ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command
ASA may traceback when "write standby" command is entered twice
ASA stops decrypting certain L2L traffic after working for some time
ASA does not recognise "packet too big" for assembled ICMPv6 echo reply
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure
ENH: Add "speed nonegotiate" command for fiber interfaces on ASA5585
object nat config getting deleted after reloaded with vpdn config
Traceback DHCP 'IP Address Assign' while upgrading ASAs in Failover
ASA allows IKEv1 clients to bypass address assignment, causing conflict
CWS: Large downloads on HTTPS fail when server side seq number wraps
ASA WebVPN Rewriter: Custom HTTP Headers Not Properly Rewritten
Traceback in Thread Name: ssh_init
ASA tmatch_summary_alloc block leak in binsize 1024
webvpn jscript post to wrong URL - ASA FQDN same as server FQDN
ASA Traceback in Thread name: ci/console while modifying an object-group
"no speed nonegotiate" command in ASA 5580 running 9.1.5 in show run
ASA - Traceback in DATAPATH-0-1275
ASA: Traceback Page Fault in vpnfol_thread_msg on Standby ASA
ASA: BGP not performing outbound route-filtering
No syslogs for ASDM or clientless access with blank username/password
Personal bookmarks get deleted with ASA in Active/Standby failover
ASA SSLVPN Citrix Java client error - java.lang.ClassNotFoundException
WebVPN: uploading customized portal.css breaks the portal login page
ASA crashes with Page Fault with multiple configuration sessions
ASA failover standby device reboots due to delays in config replication
ASA rewrites incorrect content-length in SIP message
ASA Smart Call does not hide IPv6 addresses for ND
IPv4 ACLs not working after merging IPv4 and IPv6 ACLs by upgrading
ASA : Failover descriptor does not change after reconfiguring VLAN
accounting not per rfc in dual factor auth case
SNMP: Power supply OIDs missing if no power input on 5500-X
ASA providing inaccurate Tunnel count to ASDM
IPsecOverNatT tunnel disappears after ASA failovers
Smart Tunnels Spawn "UNKNOWN Publisher" Warning w/Java 7 Update 60
Using "?" to list files in directory with thousands of files causing hog
Show memory app-cache command shows incorrect bytes if more than 2^32
vbscript getting caught in loop when passing thru ASA WebVPN Rewriter
Using ASA 9.2.1, Anyconnect weblaunch fails with URL-list in DAP
Traceback when executing "show crypto accelerator load-balance"
Local pool address not released -> Duplicate local pool address found
traceback in thread name: netfs_thread_init
WebVPN HTML Style "Overflow:Hidden" Breaks Custom Logon Pages
ASA - Traceback in thread name SSH while changing NAT configuration
ASDM Certificate validation failure
Cisco ASA VPN Failover Commands Injection Vulnerability
WebVPN: Rewriter issue with PATHIX Inspection Database
Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability
ASA as DHCP relay, DHCP offer is not forwarded to the client
ASA: Increased processor temperature after upgrade
Webvpn: Support for XFRAME in additional portal and CSD pages
PPPoE with static IP address deny packets after reload ASA
Traceback caused by WCCP
Cisco ASA Failover IPSEC does not encrypt failover link
ASA : timeout floating-conn not working when PPPoE is configured
ASA 9.2 : Static Null route not redistributed over EIGRP to neighbors
ASA Radius Access-Request contains both User-Password and CHAP-Password
ASA: EIGRP neighbor relationship flapping
Traceback in Thread Name qos_metric_daemon caused by asdm history enable
Cisco ASA VNMC Input Validation Vulnerability
IPv6 tunneled route on link-local interfaces
ASA: CLI commands are not displaying options for local authorization
LDAP CLI: Quotes removed if ldap attribute-map name has spaces
DMA memory leak in 256 byte fragments with nbns-server config
ASA not sending RST packet for connections dropped by Botnet filter
ASA can use wrong trustpoint with rekeyed CAs are cfg in trustpoints.
ASA not sending PIM register message to RP
with Anyconnect deflate compression ASA gives ASA-3-722021 syslog
ASA returns wrong content-length for cut-thru proxy authentication page
ASA tracebacks in Thread Name: ssh due to watchdog
Incorrect content-length when maddr present with URI in SIP message body
IPv6 stateless autoconfiguration fails if managed config flag in RA
ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized
ASA: standby traceback during replication of specific privilege command
ASA Local CA generates unexpected renewal reminder message
Cisco ASA Software Version Information Disclosure Vulnerability
Traceback in clacp_enforce_load_balance with ASA Clustering
ASA Cluster slave unit loses default route due to sla monitor
Cisco ASA SSL VPN Memory Blocks Exhaustion Vulnerability
ASA - 80 Byte memory block depletion
ASA traceback in DATAPATH-0-2078 thread
ASA:Page fault traceback ACL FQDN Object-group
ASA Cluster: IDFW traceback inThread Name: DATAPATH-3-132
1550 block leak occur if DNS replies "refused" query response
Inspect rule defaults in standby transparent context on write standby
ASA5580 speed nonegotiate settings kept link down after shut/no shut
User membership not updated in parent group
ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear)
There are two certificates related to one trustpoint on standby unit.
Object Group Search causing legitimate traffic to be dropped by ACL
Traceback on ASA when Attempting to Join Cluster with Low Memory
ASA ACL hitcount not correct for ACLs with service object groups
Traceback on standby ASA during hitless upgrade
DHCP Relay reloads after changing server interface
SDI authentication doesn't work in more than one contexts.
nested custom write functions causing blank page through rewriter
Control Plane ACL Not Working for Redirected HTTP Traffic
ASA assert traceback on Standby Unit in c_idfw.c
Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L
ASA Client login timeout issue due to proxy match inconsistency
EIGRP tag incorrectly send by ASA
ASA DSCP marking applies to all SSL traffic
Failed to allocate global ID when adding service-policy
traceback @ hash_table_simple.c:192
ASA Crash in vpnfol_thread_msg thread
Webvpn: Support for XFRAME for non-critical URL's
ASA accounting request does not contain radius-class(25) attribute
RSH inspect conn not replicated to standby with cut_thru missing punt
ASA SCP Client does not prompt for password when not inc. in copy string
DATAPATH Traceback in snp_mp_svc_udp_upstream_data function
ASA Traceback in Thread Name: DATAPATH-6-2544
ASA Traceback in Thread Name: DATAPATH-3-1274

Resolved Bugs in 9.3(1)

The following table contains resolved bugs in ASA Version 9.3(1).

 

Table 6 Resolved Bugs in ASA Version 9.3(1)

Bug

Description

CSCsk87165
ENH - Add device serial number and platform string to show run output
CSCsm81086
Allow user to exclude the status of the SSM or SSP from failover checks
CSCsw79856
'LU allocate xlate failed' syslog should include more data
CSCsz39633
Double auth not triggered if using secondary-aaa-server per interface
CSCtb71323
Cisco ASA Webtype ACL By-Pass Vulnerability
CSCtc18329
ACL renamed but syslog doesn't reflect new name
CSCtc61848
ENH - show traffic should include packet size distribution and flow info
CSCtd14339
block and chunk data needs to be included at beginning of crashinfo
CSCtf39306
show blocks exhaustion snapshot only takes single snapshot
CSCtj51276
Implement a syslog to indicate the version of the anyConnect client
CSCtk66541
ENH: ASA drops ICMP Error Reply for uni-directional SCTP Traffic
CSCtn30286
DHCP Relay needs to handle DHCPREQUEST differently
CSCtx55340
Easy VPN Remote not re-establishing nem-st-autoconnect setting changed
CSCty28878
ASA SSLVPN/DTLS: Copy inner packet TOS field to outer header
CSCtz92586
A warning message is needed when a new encryption license is applied
CSCub05888
Asa 5580-20: object-group-search access-control causes failover problem
CSCub13208
ASA transparent mode should support 'inspect icmp error'
CSCuc39071
AC Script/customi:no 'linux-64' option(maybe it should be 'freeform'?)
CSCuc80975
ASA5500-x: "speed nonegotiate" command not available for fiber interface
CSCud24785
Slow throughput of AnyConnect client w/DTLS compared to IPSec IKEv1
CSCue51351
ASA: Huge NAT config causes traceback due to unbalanced p3 tree
CSCue87407
DNS: Inspection drops non in-addr.arpa PTR queries
CSCug14102
Need Syslog containing assigned IP address for AnyConnect IKEv2
CSCug18734
ENH: Citrix Receiver proxy on ASA support for backend Storefront server
CSCug51755
ICMP destination unreachable for L2TP PMTU error not sent to server
CSCug87445
SVC_UDP Module is in flow control with a SINGLE DTLS tunnel
CSCuh01570
Dropped packets/Retries/Timeout on applying a huge ACL on existing acl
CSCuh61321
AC 3.1:ASA incorrectly handles alternate DTLS port,causes reconnect
CSCuh79288
ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD
CSCui30677
ENH - SCP Support on the ASA
CSCui44095
ASA 9.1: timer app id was corrupted causing to Dispatch Unit traceback
CSCui53710
ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups
CSCui56863
ASA may reload with traceback in Thread Name: vpnfol_thread_msg
CSCui63001
ASA traceback in Thread Name: fover_parse during command replication
CSCui79979
ASA 9.1.2 - Traceback in Thread Name: fover_parse during configuration
CSCui82751
%ASA-6-113005 should contain IP that initiated failed auth attempt
CSCui95392
WebVPN portal page misses large title after portal redesign
CSCuj26816
ENH - ASA and AAA Operations
CSCuj35576
ASA OSPF route stuck in database and routing table
CSCuj45406
ASA: Page fault traceback with 'show dynamic-filter dns-snoop detail'
CSCuj68420
ASA SMR: Multicast traffic for some groups stops flowing after failover
CSCuj83344
ASA cifs share enumeration DOS vulnerability
CSCuj98221
IDFW: user-group is not deactivated even if IDFW ACL is removed
CSCul00624
ASA: ARP Fails for Subinterface Allocated to Multiple Contexts on Gi0/6
CSCul02052
ASA fails to set forward address in OSPF route redistrubution
CSCul05079
ASA Memory usage in a context rises
CSCul07504
CWS: ASA forwards HTTPS packets to CWS tower in wrong sequence
CSCul16778
vpn load-balancing configuration exits sub-command menu unexpectedly
CSCul22237
ASA may drop all traffic with Hierarchical priority queuing
CSCul25576
ASA: Page fault traceback after running show asp table socket
CSCul28082
ASA traceback in Thread Name: DATAPATH due to double block free
CSCul33381
ASA 5505 SIP packets may have extra padding one egress of 5505
CSCul34143
ENH: Need to optimize messages printed on upgrade from 8.2- to 8.3+
CSCul34702
ASA Unicorn rewriter memory corruption
CSCul37560
ASA traceback when uploading an image using FTP
CSCul46000
2048 byte block depletion with Smart-Tunnel Application
CSCul46971
ASA Transparent mode doesn't pass DHCP discover message
CSCul47395
ASA should allow out-of-order traffic through normalizer for ScanSafe
CSCul49796
ASA Transparent A/A - Replicated MAC addresses not deleted after timeout
CSCul52942
ASA failover cluster traceback when replicating the configuration
CSCul55863
ASA with ICMP insp. drops replies with 'seq num not matched' code
CSCul60058
Case sensitivity check missing for Web Type ACL and Access-group
CSCul60950
IPSEC VPN - One crypto ACE mismatch terminates all Phase2 with that peer
CSCul61545
ASA Page Fault Traceback in 'vpnfol_thread_msg' Thread
CSCul62357
ASA fails to perform KCD SSO when web server listens on non-default port
CSCul64980
Acct-stop for VPN session doesn't send out when failover occurred
CSCul65863
ASA IGMP receiver-specific filter blocks all multicast receivers
CSCul67705
ASA sends RST to both ends when CX policy denies based on destination IP
CSCul68338
WEBVPN IE 11: CIFS bookmarks showing with unicode
CSCul68363
EIGRP: Auth key with space replicates to Secondary with no space
CSCul69592
ASA:Webvpn character encoding instructions unclear
CSCul70062
Capture Isakmp w/ match statement cause Standby to reload at replication
CSCul70712
ASA: ACL CLI not converting 0.0.0.0 0.0.0.0 to any4
CSCul73785
WEBVPN multiple issues with LMS application
CSCul74286
ASA: Phy setting change on member interfaces not seen on port-channel
CSCul77465
BPDUs on egress from ASA-SM dropped on backplane
CSCul83331
Redundant IFC not Switching Back
CSCul94773
ASA TCP Proxy can corrupt data, cause ACK storms and session hangs
CSCul96580
ASA tears down SIP signaling conn w/ reason Connection timeout
CSCul96864
ASA translates the source address of OSPF hello packets
CSCul98420
'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination
CSCum00360
ASA - DHCP Discover Sent out during boot process
CSCum00826
ASA reloads on Thread name: idfw_proc
CSCum01313
ASA drops DHCP Offer packet in ASP when nat configured with "Any"
CSCum06272
ASA reloads due to SSL processing
CSCum11724
secondary standby loses its cluster license after upgrade to 8.4.(7.3)
CSCum12633
webvpn issue,part of the http request not sent by the client to ASA
CSCum16576
ASA not allowing AC IKEv2 Suite-B with default Premium Peer license
CSCum16787
SSH: ASA 9.1.3 rare traceback observed during ping command
CSCum23018
ASA traceback with Thread Name: IKE Common thread
CSCum24634
IKEv1 - Send INVALID_ID_INFO when received P2 ID's not in crypto map
CSCum26955
Webvpn: Add permissions attribute to portforwarder jar file
CSCum26963
Webvpn: Add permissions attribute to mac smart-tunnel jar
CSCum28756
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
CSCum32334
WebVPN: ASA webVPN fails to rewrite dynamic content of pubmed website
CSCum35118
ASA:Traceback in Thread Name: DATAPATH-23-2334
CSCum37080
Traceback in IKEv2 Daemon with AnyConnect Failure
CSCum39328
uauth session considered inactive when inspect icmp is enabled
CSCum39333
idle time field is missing in show uauth output
CSCum47174
WebVPN configs not synchronized when configured in certain order-v3
CSCum51780
Problem configuring QOS priority with user-statistic on same policy-map
CSCum54163
IKEv2 leaks embryonic SAs during child SA negotiation with PFS mismatch
CSCum56003
Smart-tunnel for windows-Liveconnect exception-JRE 1.7u51
CSCum60784
ASA traceback on NAT assert on file nat_conf.c
CSCum63417
ASA should not allow interface MTU config greater than 9202/9198
CSCum65278
ASA 5500-X: Chassis Serial Number missing in entity MIB
CSCum68923
Webvpn: connecting to oracle network SSO returns error
CSCum68951
Webvpn: web applications that may refresh a page with "#" fail
CSCum69144
HTTP redirect to the VPNLB address using HTTPS fails in 9.1.4/9.0.4.x
CSCum70178
Datapath:Observing Deadlock in different DATAPATH threads
CSCum72854
Traffic does not hit Twice NAT configured after Static PAT
CSCum75214
ASA5585-SSP60 Teardown process is delayed under heavy traffic condition
CSCum75871
Traceback on standby ASASM when executing the failover active command
CSCum76734
ASA Backup scansafe tower is never polled
CSCum80899
ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats
CSCum82760
ASA traceback in Unicorn Admin Handler
CSCum82840
ASA: Traceback in pix_flash_config_thread when upgrading with names
CSCum84247
ASA - VPN session leak for IKEv2 if L2L sessions land on RA tunnel group
CSCum85047
Traceback in Thread: IPsec message handler with rip-tlog_event_allocate
CSCum85858
ASA Cluster: Unable to stop captures on CCL in a context
CSCum86538
SunRPC GETPORT Reply dropped when two active sessions use same xid
CSCum89182
show cluster info goid output needs formatting
CSCum91360
Aborted AnyConnect Authentications can cause resource leak
CSCum92080
Sourcefire Defense Center not able to be rendered via Clientless SSL VPN
CSCum93731
ASA 9.1.3 SNMP Traceback in Thread Name: SNMP
CSCum94542
Traceback in Thread Name: ci/console
CSCum95843
IKEv2 routes not installed if Dynamic and Static Crypto Map Match
CSCum96204
ASA cluster - RSA key size 4096 bits is not replicated cluster members
CSCun04658
Assigned IP in show vpn-sessiondb anyconnect is missing.
CSCun07943
Windows ICMP based Traceroute through ASA failing
CSCun08017
ASA WebVPN memory leak - blank portal page
CSCun09515
capture option to be provided to collect pcap from node other than master
CSCun10189
Ping doesn't work between peer IPs when answer-only is configured
CSCun10844
Java rewriting takes too much time
CSCun11323
ASA: Traceback in aware_http_server_thread after upgrade
CSCun12838
ASA Traceback in DATAPATH-1-1400 with error message shrlock_join_domain
CSCun15560
ASA-IC-6GE-SFP-C SFP port doesn't come up
CSCun16022
ASA traceback in Thread Name: IKE Daemon: with CX redirect in place.
CSCun16067
DAP creates dynamic ACLs even if single ACL selected.
CSCun17705
Regex modification within context causes ASA traceback
CSCun19025
ASA WebVPN login page XSS vulnerability
CSCun20457
ASA 9.1.x should accept RIP V1 updates
CSCun21186
ASA traceback when retrieving idfw topn user from slave
CSCun23552
XenDeskTop7:cannot relogin to StoreFront interface after logoff
CSCun25386
Anyconnect: Split-Tunnel does not work with subnet 0.0.0.0/1
CSCun25809
AnyConnect Password Management Fails with SMS Passcode
CSCun28999
When long line is entered on cli, all chars > 510 silently discarded
CSCun31725
ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads
CSCun32324
ASA Cluster ICMP with PAT not functional on reload
CSCun32388
ASA 5585 cluster indicating SSM card down but no SSM module
CSCun32897
Data path: ASA traceback in CTM message handler
CSCun40620
ASA IPSec - DNS reply for RA client dropped when LZS compression enabled
CSCun41702
L2TP/IPSec connection is failed when there is PAT router.
CSCun41817
Hash calculated for multiple ACEs on ASA are same
CSCun41818
ASA: Traceback in thread Name: DATAPATH-1-2581
CSCun43082
ASA Tears Down Connections With Reason of 'snp_drop_none'
CSCun44108
Unable to access webvpn portal when CSD and IE content advisor enabled.
CSCun44541
ASA cut a part of credential data during cut-thru proxy authentication
CSCun45520
Cisco ASA DHCPv6 Denial of Service Vulnerability
CSCun48868
ASA changes to improve CX throughput and prevent unnecessary failovers
CSCun59095
ASDM interface graph showing bogus values in S/W and H/W output queue
CSCun59657
ASA-SM not sending SNMP traps with 9.0.4
CSCun61466
terminal width command is deleted when removing other context
CSCun66161
5585-20 8.4.7.11 traceback in Thread Name Datapath w/ DCERPC inspection
CSCun66306
IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs
CSCun69669
Posture assessment failing after HS upgrade to 3.1.05152
CSCun71016
OSPFv3 route stuck in routing table after failover
CSCun71586
MEMLEAK: 128 byte leaks when requesting IPv6 address for AnyConnect
CSCun75965
Name for IPv6 address causes objects to become empty after reload
CSCun78551
Cisco ASA Information Disclosure Vulnerability
CSCun81982
Packet-tracer showing incorrect result for certain NAT configurations
CSCun83186
Nameif command not allowed on TFW multimode ASA with clustering
CSCun85465
'ASA modifies Request Host Part under 'ACK' packet for SIP connection'
CSCun86984
ASA 5505 u-turned/hairpinned conn counts toward license local-host limit
CSCun88276
High CPU with IKE daemon Process
CSCun95075
ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
CSCun96170
ASA 8.4.6: Traceback with fover_FSM_thread
CSCuo00627
Saleen copper module port speed/duplex changes ineffective
CSCuo02948
To the box traffic dropped due to vpn load-balancing (mis)configuration
CSCuo03555
SNMP: cpmCPUTotal5sec/1min/5min return "0"
CSCuo03569
VPN client firewall and split-tunneling mishandle "inactive" acl rules
CSCuo04965
Clientless scrollbar on right hand side of the screen doesn't render
CSCuo05186
ASA 9.1 DMA Memory exhaustion in 240 binsize
CSCuo08511
ASA 9.0.4.1 traceback in webvpn datapath
CSCuo09383
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure
CSCuo10869
VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x
CSCuo11057
IPsec transform sets mode changes from transport to tunnel after editing
CSCuo11867
CSCub92315 fix is incomplete
CSCuo14701
Interop: relax PrintableString encoding enforcement in PKI
CSCuo19916
ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet
CSCuo23892
ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow
CSCuo26501
ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int
CSCuo26632
ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled
CSCuo27866
Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog
CSCuo32369
ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address
CSCuo33186
Traceback with thread DATAPATH-2-1181
CSCuo44216
ASA traceback (Page fault) during xlate replication in a failover setup
CSCuo46136
ASA does not relay BOOTP packets
CSCuo49385
Multicast - ASA doesn't populate mroutes after failover
CSCuo54393
ASA: HTTP searchPendingOrders.do function failing over WebVPN
CSCuo54448
WebVPN capture causes conflict with other capture types
CSCuo58411
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
CSCuo60435
ASA: Webvpn using incorrect password for auto-signon with Radius/OTP
CSCuo61372
ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA
CSCuo63172
ASA 9.1.(3)4 Memory Leak in KCD
CSCuo64803
ASA Rewriter does not support encoded values for characters like " ' "
CSCuo70963
WebVPN: Javascript rewrite issue with Secret Server Application
CSCuo73792
ASA 9.x Management Port-Channel Cannot configure management-only in TFW
CSCuo78285
Firewall may crash while clearing the configuration
CSCuo78892
Traceback when using IDFW ACL's with VPN VPN Filters
CSCuo82612
5585-20 9.2.1 Traceback in Thread Name: DATAPATH-1-1567
CSCuo84225
CIFS drag & drop not working with remote file explorer over webvpn
CSCuo88253
ASA NAT: Some NAT removed after upgrade from 8.6.1.5 to 9.x
CSCuo89924
Giaddr to be set to the address of interface facing the client.
CSCuo91763
ASA allows to empty an access-list referenced elsewhere
CSCuo95074
ASA - crash in SSL Client compression in low memory conditions
CSCuo95602
Standby ASA traceback on Fover_Parse with Botnet Filter
CSCuo97036
show vpn load-balancing shows Public addr as Cluster IP addr for Master
CSCuo99186
Inconsistencies seen while sending warmstart trap on reload
CSCup00433
Failover Standby unit has higher memory utilization
CSCup01676
ASA: Crash in DATAPATH
CSCup05772
Snmp-server hosts entries are lost when upgrading from 9.1(4) to 9.1(5)
CSCup07447
ASA WebVPN: Script error when using port-forwarding
CSCup08262
9.0(4)5 - Unable to access internal site via clientless SSLVPN
CSCup08912
ASA SSLVPN Java plugins fail through proxy with Connection Exception
CSCup09236
L2TP/IPsec fragmentation change causing ICMP-PMTU being sent
CSCup09881
show webvpn kcd Error code 2 (ERROR_FILE_NOT_FOUND)
CSCup09958
ASA: Webvpn Clientless - certificate authentication fails intermittently
CSCup13265
ASA - Traceback in thread name: sch_prompt anonymous reporting
CSCup16512
ASA traceback in Thread Name : Checkheaps when snmp config is cleared
CSCup16860
IKEv2 DPD is sent at an interval not correlating to the specified value
CSCup24465
Jumbo frame calculations are incorrect or hard coded
CSCup26021
TCP intercept does not work after embryonic connection ends
CSCup26347
ASA Panic: CP Processing - ERROR: shrlock_join_domain
CSCup32973
ASA EIGRP does not reset hold time after receiving update
CSCup33868
ASA doesn't apply vpn-filter if group policy is assigned by Cisco VSA 25
CSCup36543
WebVPN Problem- icons missing, buttons not working
CSCup40357
SNMP: Unable to verify presence of second power supply in ASA 5545
CSCup44564
Remove Comment in Cookie
CSCup47885
ASA: Page fault traceback in DATAPATH when DNS inspection is enabled
CSCup48772
ASA - Wrong object-group migration during upgrade from 8.2
CSCup48979
ASA - Permitting/blocking traffic based on wrong IPs in ACL
CSCup50857
ASA traceback in thread name idfw_adagent
CSCup54184
ASA Overwrite any file on WebVPN RAMFS
CSCup59017
ASA with ACL optimization crashing in "fover_parse" thread

End-User License Agreement

For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

©2015 Cisco Systems, Inc. All rights reserved.